In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers. The text of our most recent customer communication is below:
On March 23, Google posted a blog on a public forum outlining a set of proposals targeted at Symantec SSL/TLS certificates. This was unexpected, and I wanted to reach out to explain what this proposal means for Symantec customers and how we will respond to Google’s proposal, if implemented, in order to ensure business continuity for you. I also want to address Google’s claims about Symantec’s certificate issuance processes and reaffirm our continued commitment to transparency of our practices as a public certificate authority.
First and foremost, I want to reassure you that you can continue to trust Symantec SSL/TLS certificates. Google has outlined proposals, not actions. We object to its proposals and intend to engage with Google to work through its concerns.
To be specific, the key terms of Google’s proposal are as follows:
Over time, Symantec would need to revalidate and reissue previously issued certificates
Maximum validity of newly issued Symantec certificates would be reduced to 9 months
Extended Validation (EV) treatment of Symantec certificates would be removed for at least one year
In the event Google implements its proposal, Symantec will ensure your websites, web servers or web applications continue to work across browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period. In addition, Google’s proposal requires shorter validity certificates, which we would support. We anticipate Google may attempt to impose this shorter validity period on the entire industry, as it has previously tried to do through an initiative at the CA/Browser Forum that was voted down. Shorter certificate validity periods increase customer expense, which we are working to reduce by making considerable investments in automation. We would work with our customers to provide tools to manage any validity period changes that Google might unilaterally impose.
Finally, while Google and Chrome have long been working to remove special treatment for EV certificates in general, other browsers continue to recognize it. We will continue to work with Google and other members of the CA/Browser Forum on security best practices for the industry. Our customers get value from the extensive validation on our EV certificates, and derive meaningful results from them. Our brand is powerful: our certificates secure more than 80% of ecommerce revenue and our Norton Shopping Guarantee on average increases ecommerce revenue by more than 5%.
We are proud to be one of the world’s leading certificate authorities. We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet. Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers. Symantec has also been a champion of Certification Authority Authorization (CAA), and asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA. Our most recent contribution to the CA ecosystem is the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.
Google’s blog statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event referred to by Google, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.
We do not believe Google’s proposal is in the best interest of the Internet community. We are working to resolve the situation with Google in the shared interests of our joint customers and partners.
In closing, we take certificate issuance very seriously. The events that prompted Google to propose these changes have been addressed with the utmost transparency. We are working hard to ensure that this proposal does not create disruption for you. Please let me know if you would like to schedule a call.
Executive Vice President & GM, Symantec Website Security
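For a site operator reading the letter, the practical question is which certificates in their own inventory the proposal's terms (reissue of existing certificates, a nine-month cap on new ones, CT logging) would touch. The following is an added example, not code from Symantec or from Google, that triages a parsed X.509 certificate against those terms using only Go's standard library. Its assumptions: the nine-month cap is taken from the letter's summary, lifetimes are counted in whole calendar months rounded up, "Symantec-issued" is approximated by a name match on the issuer's organization field (a real inventory should match the chain against the specific root certificates instead), and CT logging is inferred only from the embedded SCT-list extension, so a certificate whose SCTs are delivered via the TLS extension or OCSP stapling will show as unlogged. The certificates it checks are self-signed test data generated inline, not real Symantec certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Cap stated in the letter's summary of Google's proposal (assumption: whole months).
const maxValidityMonths = 9

// OID of the embedded SCT list extension (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// Finding is the triage result for one certificate.
type Finding struct {
	Subject        string
	Issuer         string
	ValidityMonths int  // lifetime in calendar months, rounded up
	ExceedsCap     bool // longer than maxValidityMonths
	HasSCTs        bool // embedded SCT list extension present
	SymantecIssued bool // issuer O= names Symantec (heuristic, see below)
}

// validityMonths counts the calendar months from NotBefore needed to reach
// NotAfter, so nine months plus one day counts as ten.
func validityMonths(c *x509.Certificate) int {
	months := 0
	for c.NotBefore.AddDate(0, months, 0).Before(c.NotAfter) {
		months++
	}
	return months
}

func hasEmbeddedSCTs(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSCTList) {
			return true
		}
	}
	return false
}

// symantecIssued is a name-based heuristic on the issuer's organization.
// Assumption of this example only; match against the affected roots in practice.
func symantecIssued(c *x509.Certificate) bool {
	for _, org := range c.Issuer.Organization {
		if strings.Contains(strings.ToLower(org), "symantec") {
			return true
		}
	}
	return false
}

// Check evaluates one parsed certificate against the proposal's terms.
func Check(c *x509.Certificate) Finding {
	m := validityMonths(c)
	return Finding{
		Subject:        c.Subject.String(),
		Issuer:         c.Issuer.String(),
		ValidityMonths: m,
		ExceedsCap:     m > maxValidityMonths,
		HasSCTs:        hasEmbeddedSCTs(c),
		SymantecIssued: symantecIssued(c),
	}
}

// makeTestCert builds a self-signed certificate (constructed test data) with
// the given issuer organization and lifetime in months.
func makeTestCert(org string, notBefore time.Time, months int, withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com", Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
	}
	if withSCT {
		// Placeholder: OCTET STRING wrapping an empty SCT list; only presence is checked.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2017, 4, 1, 0, 0, 0, 0, time.UTC)
	for _, tc := range []struct {
		org    string
		months int
		sct    bool
	}{
		{"Symantec Corporation", 36, false}, // three-year certificate: would need reissue
		{"Symantec Corporation", 9, true},   // within the proposed cap, CT-logged
		{"Other CA", 36, false},             // outside the proposal's scope
	} {
		c, err := makeTestCert(tc.org, start, tc.months, tc.sct)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", Check(c))
	}
}
```

To use this against a live inventory, replace makeTestCert with x509.ParseCertificate over the DER of each deployed leaf certificate; ExceedsCap is the signal that a certificate would not be issuable under the nine-month cap, and a Symantec-issued certificate with HasSCTs false should be checked through the server's TLS handshake or OCSP response before concluding it is unlogged.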